DETAILED ACTION



Double Patenting 



The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in 
public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise 
extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple 
assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 
F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); 
In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and, In re Thorington, 418 F.2d 528, 163 
USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be
used to overcome an actual or provisional rejection based on a nonstatutory double 
patenting ground provided the conflicting application or patent is shown to be commonly 
owned with this application. See 37 CFR 1.130(b). 

Effective January 1, 1994, a registered attorney or agent of record may sign a 
terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 
37 CFR 3.73(b). 



Claims 1-22 are provisionally rejected under the judicially created doctrine of
obviousness-type double patenting as being unpatentable over claims 1-20 of
copending Application No. 09/584252. Although the conflicting claims are not identical,
they are not patentably distinct from each other because the claims of this application
are broader than claims 1-20 of the copending application. These claims do not
expressly specify a virtual local area network switch having a plurality of ports for
connecting each client to at least one of the plurality of computer resources, as recited in
independent claims 1 and 13 of the co-pending application. These claims recite a
virtual private network (VPN) terminal device (corresponding to the recited switch)
securely connecting a plurality of client computers to a plurality of virtual local area
networks (VLANs) in order to access resources on at least one of the computers in one of
the plurality of VLANs. The combined limitations of claims 1, 2, and 5 of the pending
application correspond to the limitations of claim 1 in the co-pending application. The 
pending claim 1 recites that each of the plurality of client computers is associated with 
at least one virtual private network connection, wherein the client computers are 
remotely connected to at least one virtual private network termination device, and 
wherein said at least one virtual private network connection is established by said at 
least one virtual private network termination device. This limitation corresponds to "a 
plurality of client connection ports connected to said virtual local area network switch" 
recited in claim 1 of the co-pending application. Claim 2 of the pending application 
recites that "each of the at least one virtual private network connections is uniquely 
associated with one of said plurality of virtual local area networks, so that a one to one 
correspondence exists between said at least one virtual private network connection and 
said plurality of virtual local area networks" which corresponds to the recitation "isolating 
said plurality of client connection ports from one another so that each of said client 
connection ports may be connected to at least one of said plurality of secure computer 
environments on said plurality of computers" in claim 1 of the co-pending application. 
Claim 5 of the pending application recites that a configuration engine in the shared 
computer system configures the at least one virtual private network termination device 
(i.e., switch), which is disclosed in claim 1 of the co-pending application.

This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented.

Claim Rejections - 35 USC § 103



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-22 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
McNeil et al. (6,167,052; hereinafter McNeil) in view of Ahmed et al. (5,432,785; 
hereinafter Ahmed). 

Claims 1, 2, 5, and 16 

McNeil discloses methods and systems for establishing network connectivity by 
creating virtual LANs within a domain (corresponding to the recited shared computer 
system) (see abstract; Figs 1-2; col. 2, lines 17-29). McNeil further discloses that each 
VLAN includes at least one station (corresponding to the recited computer resources) 
(i.e., associating each station with a VLAN) (see col. 1 lines 30-40 and col. 3, lines 6- 
16). McNeil also discloses that the computers in different VLANs are connected to at 
least one switch (corresponding to the recited terminal device) having one or more ports 
(see Fig. 1 and col. 3, lines 9-30). McNeil discloses the deployment of a management 
station corresponding to the recited configuration engine connected to at least one 
switch in order to configure the switches and establish connectivity (see Fig. 1,
Domain 116P, Station 124M; col. 2, lines 35-50; col. 4, lines 9-11 and lines 38-41; col.
5, lines 1-14). McNeil, however, does not expressly disclose that the clients who are
remotely connecting to the stations in VLANs at least through one switch, are 
associated with at least one virtual private network (VPN) connection. 

Ahmed discloses a broadband VPN system in which customers (corresponding 
to the recited client computers) are connecting to a switching system through at least 
one VPN connection and connecting to another switching system through a virtual path 
link within a public network and finally to the desired computer resources (see Figs. 1-4; 
col. 2, lines 46-67; col. 3, lines 5-67; col. 6, lines 3-23). Ahmed also discloses that there
are ports on the switches for monitoring the traffic on each VPN connection (see col. 3, lines
20-27 and col. 6, lines 40-53). Moreover, as illustrated by Fig. 4, Ahmed teaches that
each customer is associated with at least one VPN connection at the switching system. 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to implement the VPN connectivity for each client through at least 
one switch port to a remote location as taught in Ahmed in the system of McNeil, 
because it would provide protected virtual private channel connections (corresponding
to the recited one to one correspondence) between clients and computer resources
(i.e., isolating the VPNs connections from one another) (col. 3, lines 9-26). 

Claim 3 

McNeil discloses that clients from other domains or VPNs can connect to VLANs 
through one switch (see Fig. 2, where clients that may be associated with a VPN 
connect to VLANs 140a, 140b and 140c via switch 128.1 shown in Fig. 1). Since the 
traffic is forwarded based on either the MAC addresses or the switch ports, the VPN
connections are, for example, uniquely associated with one of the VLANs
(abstract; col. 2, lines 38-50; col. 3, lines 7-16). 

Claim 4 

McNeil discloses a management station corresponding to the recited 
configuration engine connected to the switch 128.1, in order to configure this switch to 
provide outside connection to computer resources (i.e., clients VPNs connections to the 
VLANs) (see, for example, col. 2, lines 35-50 and Fig. 1, Domain 116P, Station 124M,
where clients from other domains or via Internet can connect to computers in domain 
116P through switch 128.1). 

Claims 6 and 19 

It is assumed that "configuration engine reading computer requirements from at 
least one client" means to configure secure environments in portions of the secure 
computer system according to client needs (page 3 of the specification, lines 32-33). 
McNeil discloses that connection for client to access resources on the network is 
restricted and provided based on some criteria (see, for example, col. 1, line 54-col. 2, 
lines 5; col. 10, lines 15-24).

Claim 7

It is assumed that "configuration engine calculating an optimum allocation of said 
plurality of computer resources to meet said computer requirements of said at least one 
client" means that the automating code 74 in the configuration engine 42 (see Fig. 2) 
may include load balancing systems or brokering systems which receive requests for 
computer resources 12 from clients and which automatically allocate resources 12 
according to client need and priority, and resource availability (page 10 of the 
specification, lines 6-11). McNeil discloses that connection for client to access
resources on the network is restricted and provided based on some criteria (see, for 
example, col. 1, line 54-col. 2, lines 5; col. 10, lines 15-24). 

Claim 8 

This claim is rejected as applied to like elements of claim 3 stated above.

Claim 9

Ahmed teaches that the customers connect to the computer resources through a 
dedicated line (col. 7, lines 1-6). 

Claims 10 and 11 

McNeil discloses that the implemented switches allow users to access resources 
over the Internet. See, for example, Fig. 1 that users are allowed to access, for 
example, Station 124.1 over the Internet 170 and through Switch 128.1.

Claim 12

Ahmed teaches that customers connect to the resources on the shared computer 
system with a broadband line connection (see col. 3, line 50-col. 4, line 20).

Claims 13 and 21 

McNeil discloses that the management station creates access control lists (ACLs)
and allows connections based on the ACLs, which corresponds to the recited
authenticating client identification before configuring at least one VLAN (see, for 
example, col. 2, lines 26-34; col. 3, line 65-col. 4, line 6; col. 6, lines 14-24). 

Claims 14, 15 and 20 

McNeil discloses that firewalls are also used to further control the access of 
users to the resources on a shared system and a management station for configuring 
the domain (see, for example, col. 2, lines 1-5 and lines 35-40; col. 9, lines 32-49). 

Claims 17 and 18 

McNeil discloses that the management station includes software and provides a 
graphical user interface for network administrator to configure the VLAN (see, for 
example, abstract; Fig. 1; col. 4, lines 38-41; col. 9, lines 35-43).

Claim 22

McNeil discloses a plurality of stations (corresponding to the recited computer 
resources) scattered in different domains (see Figs. 1-2). The stations in each domain 
are grouped in one or more VLANs (see Figs. 1-2). McNeil further discloses that VLANs 
are implemented by the LAN switches (col. 1, lines 61-62). Clients from another domain
or via Internet access the computer resource in each VLAN through a switch using IP 
addresses (col. 1, lines 40-53). The IP address is translated to a MAC address by 
routers normally located at the edge of each network (col. 1, lines 50-53). A switch 
restricts traffic to a VLAN (col. 1, lines 63-65) and forwards packets based on a station's 
MAC address only if that station exists in the VLAN (col. 1, lines 46-47 and col. 3, lines 
7-9). Furthermore, McNeil discloses that each port of a switch is connected to a specific
segment of the network (col. 3, lines 11-16). Thus, a switch isolates connection of a
client to a station in one VLAN from other stations on another VLAN or in the same 
VLAN that corresponds to the recited securely connecting a client to a portion of shared 
computer system while isolating that portion from other portions of the system. For 
example, Fig. 2 illustrates that when a client accesses a resource on VLAN 140a, its 
connection is isolated from VLAN 140b and VLAN 140c. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

US Patent No. 5,920,699 to Bare.

US Patent No. 5,968,176 to Nessett et al.

US Patent No. 6,717,913 B1 to Ghahremani et al. 

US Patent No. 6,414,958 B1 to Specht. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Abdulhakim Nobahar whose telephone number is 703- 
305-8074. The examiner can normally be reached on M-F 8-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 703-305-1830. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Abdulhakim Nobahar 
Examiner 
Art Unit 2132

SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100 




